On Wed Nov 25, 2020 at 4:11 AM HST, Petr Štetiar wrote:
> Baptiste Jonglez <bapti...@bitsofnetworks.org> [2020-11-25 12:41:18]:
>
> Hi,
>
> > For the imagebuilder, it increases the *total* build time (not just
> > download time!) by +50%:
> >
> > http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html
>
> I don't consider 10 seconds dramatic increase of time, but it of course
> depends on your use case. If you aim for faster builds you can disable the
> HTTPS (one sed command) by yourself, proxy/cache the downloads etc.
>
> One of the project's goal is standard installation secure by default, which
> for me means HTTPS in this case and I'm willing to make this 10 second
> tradeoff.
>
> > On a device, I suspect it will be much worse but I can't currently test
> > that. It shouldn't be too hard, just make sure to clean opkg files
> > between each test to have a proper apple-to-apple comparison.
>
> You hardly download 100 packages on device. You don't care if it takes two
> minutes, because you're not doing it every day, it's running in the
> background etc.
>
> > The main problem is the lack of persistent connection, which means doing a
> > full expensive TLS exchange for each separate file download, however small
> > it is. It's a lot of crypto for a small CPU on devices,
>
> You can turn off HTTPS if you prefer speed over maximum security
>
> > and if it's widely deployed it will also impact the load on the download
> > server.
>
> There should be CDN from Fastly soon, hopefully before the release, SFC has
> already revisited the deal/documents and AFAIK it's waiting for the final
> signature.
>
> > Thus, it's not reasonable to have this by default in a release.
>
> I don't agree. It has to be default in the next release :-)
>
> > I'm working on adding persistent connection support to opkg but it's not
> > straightforward.
>
> Great, thanks!

I agree with all your points, it should be supported and it should be default.
However, worse than no security seems a false sense of security. Based on the
discussion on IRC I understand that certificates are inadequately validated,
allowing encryption with faked certs. Until somebody jumps on ustream-ssl and
fixes the WolfSSL implementation, we should consider disabling it.

Best,
Paul